# CISA KEV Alert: Three Actively Exploited Vulnerabilities Demand Immediate Action
Arista EOS, Google Chromium V8, and Cisco Catalyst SD-WAN Manager added to the Known Exploited Vulnerabilities Catalog — here's what to do in the next 30 days.
Published 2026-06-10
On June 9, 2026, CISA updated its Known Exploited Vulnerabilities (KEV) Catalog with three new entries tied to confirmed, active exploitation — affecting Arista Extensible Operating System, Google Chromium V8, and Cisco Catalyst SD-WAN Manager.
## What the Advisory Says
CISA added the following three vulnerabilities under Binding Operational Directive (BOD) 22-01, which mandates that federal civilian agencies remediate KEV-listed flaws within defined deadlines:
- CVE-2026-7473 — Arista Extensible Operating System: Incomplete Comparison with Missing Factors Vulnerability
- CVE-2026-11645 — Google Chromium V8: Out-of-Bounds Read and Write Vulnerability
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: Improper Encoding or Escaping of Output Vulnerability
All three involve weakness classes — flawed logic comparisons, memory boundary violations, and output-encoding failures — that are reliably weaponized in real-world attacks. The KEV Catalog exists precisely because these are not theoretical risks; CISA only adds entries when exploitation evidence is confirmed.
## Why This Matters Beyond Federal Agencies
BOD 22-01 is binding on federal civilian agencies, but the compliance ripple extends much further. If your organization operates under any of these frameworks, this advisory has direct implications for you:
- NIS2 (Article 21): Operators of essential and important entities must implement vulnerability handling and patching as part of their mandatory technical measures. Active KEV entries are exactly the kind of risk NIS2 supervisory authorities will scrutinize after an incident.
- ISO 27001 (Annex A, Control 8.8): Management of technical vulnerabilities requires timely identification and remediation. A catalogued, actively exploited CVE with a published patch window is a clear audit finding if left unaddressed.
- SOC 2 (CC7.1): The Common Criteria require that security threats and vulnerabilities be identified and monitored. Ignoring a KEV-listed flaw undermines any CC7 evidence you present to auditors.
- PCI DSS (Requirement 6.3): Critical and high vulnerabilities must be addressed within defined timeframes. KEV status is strong evidence of criticality.
- HIPAA Security Rule (§ 164.308(a)(1)): Risk analysis must account for known, exploited weaknesses in systems that touch ePHI — and network infrastructure such as SD-WAN devices and browser engines frequently does.
Affected products span network operating systems (Arista EOS), widely deployed SD-WAN infrastructure (Cisco Catalyst), and the browser engine underpinning Chrome-based applications (Chromium V8). That combination means most enterprise environments have at least one exposure surface.
## What to Do in the Next 7–30 Days
Days 1–7 — Identify and isolate: Run an authenticated scan across your environment to confirm which assets run affected Arista EOS versions, Cisco Catalyst SD-WAN Manager builds, and Chromium-based browsers. Flag any internet-exposed or internally privileged instances immediately.
Days 7–14 — Patch or mitigate: Apply vendor-supplied patches as soon as they are validated in your change process. Where patching cannot be completed immediately, implement compensating controls — segment affected devices, restrict administrative access, and increase logging fidelity on those assets.
Days 14–30 — Document and map to frameworks: Capture remediation evidence — scan results before and after, change tickets, approval records. Map this evidence to each applicable framework control (NIS2 Article 21, ISO 27001 Annex A 8.8, SOC 2 CC7.1, PCI DSS 6.3, HIPAA §164.308). Gaps identified now are far less costly than findings surfaced during an audit or breach investigation.
Ongoing — Automate KEV monitoring: Manual tracking of the KEV Catalog is error-prone at scale. Integrate automated alerting so that future additions trigger a remediation workflow immediately instead of waiting for a weekly review cycle.
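One way to implement the automated check in the last step, as an added example that is not part of the original post: a Python script that diffs the public CISA KEV JSON feed against the CVE IDs seen on the previous run and alerts on new entries whose vendor/product pair appears in a hypothetical asset inventory. The feed URL and field names are CISA's; the embedded feed sample, the inventory and the due dates are constructed for illustration (the advisory does not state the due dates).

```python
import json
from datetime import date

# Public CISA KEV JSON feed; in production fetch it (e.g. urllib) instead of the sample below.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample shaped like the CISA feed, holding the three entries from this
# advisory. The dueDate values are assumed for illustration, not taken from CISA.
SAMPLE_FEED = json.dumps({
    "catalogVersion": "2026.06.09",
    "vulnerabilities": [
        {"cveID": "CVE-2026-7473", "vendorProject": "Arista",
         "product": "Extensible Operating System", "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
        {"cveID": "CVE-2026-11645", "vendorProject": "Google",
         "product": "Chromium V8", "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    ],
})

# Hypothetical asset inventory: lower-cased (vendor, product) pairs the organisation runs.
INVENTORY = {("arista", "extensible operating system"), ("cisco", "catalyst sd-wan manager")}


def new_kev_entries(feed_json, seen_ids):
    """Return catalog entries whose cveID was not seen on the previous run (the baseline)."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"] if v["cveID"] not in seen_ids]


def match_inventory(entries, inventory):
    """Keep only entries whose (vendor, product) pair is in the inventory, case-insensitively."""
    return [v for v in entries if (v["vendorProject"].lower(), v["product"].lower()) in inventory]


def days_to_due(entry, today_iso):
    """Days remaining until the catalog's remediation due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def run_check(feed_json, seen_ids, inventory, today_iso):
    """One monitoring cycle. Returns (alerts, updated_seen_ids); each alert is
    (cveID, vendorProject, product, days_to_due) for a new, in-scope entry."""
    new = new_kev_entries(feed_json, seen_ids)
    alerts = [(v["cveID"], v["vendorProject"], v["product"], days_to_due(v, today_iso))
              for v in match_inventory(new, inventory)]
    return alerts, set(seen_ids) | {v["cveID"] for v in new}


if __name__ == "__main__":
    alerts, seen = run_check(SAMPLE_FEED, set(), INVENTORY, "2026-06-10")
    for cve, vendor, product, days in alerts:
        print(f"NEW KEV in scope: {cve} ({vendor} {product}) due in {days} days")
```

Persist the returned set of seen IDs between runs (a file or database) so the second run only raises alerts for additions since the last cycle.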
## Start a Free Trial of RDS GoSOC AI
RDS GoSOC AI is a multi-tenant AI SOC and compliance platform that continuously maps your security posture against 16 frameworks simultaneously — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS. You can start a 14-day free trial at platform.reremrdsgosoc.com/register with every paid feature unlocked and no credit card required. Once inside, open the User Guide tab for a full walkthrough, and use the Sage handle to ask setup questions in plain language. When the next KEV batch drops, you will already have the control mappings in place to respond in hours rather than days.